Black Friday Purchases Could Deliver Malware to Your Network

As shoppers rush out and buy the latest tech for their holiday gift giving – or order them online during Cyber Monday – they will never know the hidden dangers in what they purchased.

The Internet of Things is exciting and the cool tech provides some of the most coveted gifts every year but at what cost?

What people don’t realize is that, in the rush to market, rapid development cycles reveal compromises that can leave end users vulnerable to cyber threats.

The cartoon below was sent around our office depicting a number of IoT household appliances blackmailing their owner. This particular cartoon resonated with me because I think it highlights one of the problems with the rapid development that happens in the tech industry. With the need to get to market quickly, security is usually overlooked in the early days of product development: insecure architectural decisions are made, product complexity increases, and with it the potential attack surface.

Initially this isn’t a problem: the reality is the product doesn’t have enough traction in the market for an attacker to be bothered and so security continues to be one of those items on a PM feature list that never quite makes it up to the top of the priority list.

But later, when the product becomes popular and has successful market penetration, it eventually catches the eye of the wily hacker who pwns the product for profit. At this point, security becomes a top priority, but it quickly becomes clear that resolving the security issues in the product is too complex and expensive. Since the product architecture is not compatible with best security practice, a patch is made to protect the vulnerability that was exploited, but little architectural change can happen to lock down as-yet-undiscovered vulnerabilities.

When the devices come to work.

As more devices become connected to the internet this problem increases rapidly. These devices come to the office and log on to your Wi-Fi and deliver the malware as part of the deal. Twenty years ago, when I started working as a developer, high profile hacks were the worry of a few elite organizations and nation states and few, if any, would be life threatening.

The closest Joe Public got to a high-tech hack was watching cheesy Hollywood movies (anyone remember The Net?); you certainly didn’t have to worry about the security of your kettle. Now, though, as more of our lives become connected to the internet, this has changed to a real risk for every individual and, as the recent attack on the NHS in the UK has shown, it has moved from being a rare inconvenience to a fully life-threatening event.

Change is happening, but it takes time.

The good news is that some organizations have started to alter how they invest their development dollars in security. As an example the work Microsoft has done with Windows 10 Security is a great leap forward; for the first time security really is at the forefront of Microsoft’s development agenda and this is well illustrated by their partnership with us and their efforts with Credential Guard, Device Guard and Windows Application Guard.

Google too is doing good things such as using its immense web presence to eradicate architecturally insecure corners of the web; Chrome 53 is finally starting the process of eradicating Flash which has been a major cause of enterprise breaches for many years. Flash’s demise can’t come soon enough and with Google leading the way there is a good chance it will finally happen.

Governments are also showing signs of taking security more seriously. Here in the UK, where I am based, there was a recent announcement for £1.9b additional investment in cyber security, which in a time of reduced public spending is a big deal. Government-backed schemes such as the Bank of England’s CBEST have also helped organizations find their vulnerabilities.

At Bromium, security comes first.

For me the refreshing thing about working for Bromium over the last few years has been the attitude that security comes first. Developers are encouraged to push back on a feature and involve the security team if they are asked to code anything up which would soften up the product’s secure architecture. We have peer code review for every commit, internal and external pen tests and security audits, and we even do the hard thing of owning our own hypervisor, built with security as a base principle. All this security is hard work for the development team and often means some feature won’t be delivered as quickly as it could be. The benefit: it makes it possible for Bromium to provide the world-class security that it does.

As the world becomes more connected, we developers owe it to the people who are going to use the products we build to push the organisations we work for to take security seriously from the start.

James Wright is Senior Director of Engineering at Bromium and responsible for the delivery of Bromium's endpoint security products. He lives in Cambridge and enjoys technology, music, cycling and writing about himself in the third person. You can find out more about him on LinkedIn.